OKTA
This feature is currently in Beta.
Introduction
In this article, you’ll learn how to integrate OKTA with an Acreto Ecosystem. The OKTA integration allows your Acreto Ecosystem to utilize the user credentials managed by OKTA to connect to the Ecosystem using Acreto TLS Client.
It uses the LDAPS (LDAP Secure) protocol and the OKTA LDAP Interface which can be deployed on the OKTA account.
Steps
This process involves the following steps:
- Enable OKTA LDAP Interface
- Configure Acreto Ecosystem
- Define Security Policies
- Test the integration
How OKTA integration works
The integration uses the LDAP service account credentials to retrieve the user’s distinguished name (DN) from the LDAP server. Given the user’s DN value, the integration then reconnects with LDAP using the user’s DN and password.
In the diagram below, you can see the communication flow between some Employee (trying to connect to the Ecosystem using Acreto TLS Client), Acreto Ecosystem and Azure AD.
The integration uses a read-only connection that never writes to the OKTA. It only queries for information.
Limitations
-
All authentication requests originate from Acreto Ecosystem addresses. Therefore, it’s not possible to implement granular network-based access control on OKTA. See relevant article in OKTA documentation.
-
We recommend using OKTA Verify Push Verification method for multifactor authentication. If you want to use other methods, see Use multifactor authentication with the LDAP Interface.
Prerequisities
To proceed with setting OKTA for Acreto Ecosystems, you need:
- OKTA account with admin rights
- Create and login to Acreto Ecosystem
You should also be familiar with:
- Acreto Identity Providers Overview
- OKTA documentation: Set up and manage the LDAP Interface
How To
Step 1: Enable OKTA LDAP Interface
To configure your OKTA account, you need to enable the OKTA LDAP Interface. Please go through the following procedures:
- Enable OKTA LDAP Interface
- Read OKTA LDAP configuration details:
- In the Admin Console, go to Directory(1) > Directory Integrations(2).
- Select LDAP Interface(3)
- Note displayed information
- Create OKTA Third-Party Administrator account with read-only administrator role. This administrator account will be used by Acreto Ecosystem to authenticate with OKTA.
Ensure that created Third-Party Administrator account will not be challenged with OKTA Multifactor Authentication for requests originating from your Ecosystem IP addresses. You also need to whitelist the following addresses on your server section of the Identity Provider creation page in step 2.
Step 2: Configuration of Acreto Ecosystem
-
Add New Identity Provider
To add a new Identity Provider:
- Select Objects and Identity Providers from the left menu.
- Click on “Add New”.
- Fill in the following information:
- Name and Description
- Host, User Base DN, Group Base DN - as provided on OKTA LDAP Interface settings screen
- Username and Password - credentials of the OKTA Third-Party Administrator account created in step 1
- Save your changes.
-
Create Security Policy to allow traffic sent by your users
When you create a new Identity Provider, a new Profile Group is created with a name containing Identity Provider name, for example:
Identity Provider LDAP001 (fa45). By default, all users authenticated with this Identity Provider are assigned to that Profile Group.To allow traffic from your users using that Identity Provider, select this Profile Group in the Source field of Security Policy. For detailed instructions on creating a Security Policy, see Create first security policy.
-
Commit your changes
Step 3: Testing
To test the integration:
- Generate Onboarding Portal Link
- Open generated Onboarding Portal Link and follow the instructions
- Connect to your ecosystem providing username and password managed by OKTA
To get more information about end-user onboarding experience, see onboarding documentation
Next steps
- Customize your security policies
- Define mappings of LDAP groups to Identity Provider groups
- Send invitations to your users
Summary
Thanks to Acreto and OKTA Identity Provider Integration, users can connect to an Acreto Ecosystem with the same credentials utilized for other internal resources on their network domain.
See also
- OKTA documentation:Set up and manage the LDAP Interface